PROGRAMS

INDUSTRY

COMPANY

Attack of the Server Snatchers

community of crackers who are ready, willing and able to hit any site thats not secured, can governments protect themselves?

Although system administrators and CIOs might think their Web sites are protected, the dynamic aspects of computer security means that just as problems are patched, new vulnerabilities crop up, said Dan Mayer, CIO of Clearwater, Fla., who had the unenviable chore of cleaning up after the citys official Web site was attacked by World of Hell twice in June.

Add to that the speed of modern communications and crackers have a recipe for striking any number of vulnerable sites.

"With the Internet and with the exchange of information [and] the number of hackers out there testing firewalls and other software fortifications for holes; its just a matter of time before they find another trick to get in and then share that with several thousand fellow hackers," Mayer said. "The thing to do is to be redundant and be diversified in the types of defenses you use. Use a software firewall; use a hardware firewall; go with different manufacturers."

Mayer said Clearwater will likely institute a quarterly or biannual review to assess its defenses against intrusions and to make sure there are no loose ends.

But governments, along with the private sector, often face a resource crunch when it comes to securing Web sites, said Scott Fairholm, director of Virginias Department of Information Technology.

"As you move from upgrade and patch-to-patch, hackers are going to move from upgrade and patch-to-patch with you," Fairholm explained. "Its an evolving process. We try to stay one step ahead, but - there are a lot of people out there with a lot of free time on their hands, and we dont have the kind of free time that other people do."

Fairholm, like Mayer, had the job of cleaning up after World of Hell defaced a mirror of the states official Web site in June.

"As we move into doing more and more things online, you will see more and more incidences of people trying to get into government systems," he warned. "I expect to continue to have attempts on our systems."

Fairholm said keeping up with the latest versions of software and patches is perhaps the best way to safeguard a Web site, along with trying to crack your own site to gauge where weaknesses are.

"If were aware of all of our vulnerabilities, we can patch those quickly," he said. "You cant stand still in this environment."

Despite the best efforts of systems administrators and CIOs, crackers arent convinced governments can secure their systems.

"No computer is unhackable/uncrackable," said up|4|grabs. "There will always be holes, it just depends on the amount of time a person is willing to put into breaking into a computer."

Crime and Punishment

The crackers interviewed didnt seem worried about getting caught, despite being under investigation. Crackers know that jurisdictional issues hinder local or state law enforcement agencies in their attempts to track perpetrators of computer-related crimes.

"I personally am being investigated for my [Virginia] state defacement along with the other 17 I have done," said World of Hells Dawgyg. "I dont think the government has the knowledge to trace us; at least not at the state level. They will need to get the federal government in this if they [want to] catch us."

Another World of Hell member, Cowhead2000, said that he, Dawgyg and Messiah-X together have hit at least 25 state sites.

"I do not think anyone will get raided or be in any real trouble, because most of the [World of Hell] members are out of this country entirely, and most members are smart enough to delete logs, clearing most